&gt; I want to add a key to associate my computer with my account and I am given two options

You will need at least the SSH one, if you want to push back to your repository, using an SSH URL (since the public SSH key will authenticate you).  
Start with SSH. See &quot;[Connecting to GitHub with SSH][1]&quot;.

Later, you can [use GPG to sign commits][2].

---

[Vishwas M.R][3] points out in [the comments][4] to &quot;[Why would I sign my git commits with a GPG key when I already use an SSH key to authenticate myself when I push?][5]&quot;

&gt; When you authenticate to Github with your SSH key, that authentication doesn&#39;t become part of the repository in any meaningful or lasting way.  
It causes Github to give you access for the moment, but it doesn&#39;t *prove* anything to anyone who is not Github.
&gt;
&gt; When you GPG-sign a Git tag, that tag is part of the repository, and can be pushed to other copies of the repository.  
Thus, other people who clone your repository can verify the signed tag, assuming that they have access to your public key and reason to trust it.

  [1]: https://help.github.com/articles/connecting-to-github-with-ssh/
  [2]: https://help.github.com/articles/signing-commits-using-gpg/
  [3]: https://stackoverflow.com/users/7126793/vishwas-m-r
  [4]: https://stackoverflow.com/questions/51412164/gpg-vs-ssh-keys/51414662#comment125776236_51414662
  [5]: https://security.stackexchange.com/a/120725

Where is this error coming from? I am not using `ensureIndex` or `createIndex` in my Nodejs application anywhere. I am using yarn package manager.

Here is my code in `index.js`

    import express from &#39;express&#39;;
    import path from &#39;path&#39;;
    import bodyParser from &#39;body-parser&#39;;
    import mongoose from &#39;mongoose&#39;;
    import Promise from &#39;bluebird&#39;;
    
    dotenv.config();
    mongoose.Promise = Promise;
    mongoose.connect(&#39;mongodb://localhost:27017/bookworm&#39;, { useNewUrlParser: true });
    
    const app = express();

(node:63208) DeprecationWarning: collection.ensureIndex is deprecated. Use createIndexes instead

I am setting a configuration to run my tests in a create-react-app + typescript app (**from which I have ejected**). I am using jest + enzyme. In my tsconfig.json I have set `baseUrl=&#39;./src&#39;` so I can use absolute paths when I import modules. For example this is a typical import statement in one of my files:

    import LayoutFlexBoxItem from &#39;framework/components/ui/LayoutFlexBoxItem&#39;;

You can see that the path is absolute (from /src folder) and not relative. 
This works fine when I run in debug mode ( `yarn start` )

But when I run my test ( `yarn test` ), I get this error:

     Cannot find module &#39;framework/components/Navigation&#39; from &#39;index.tsx&#39;

So it looks like jest is not able to resolve this absolute path although I have set it up in my tsconfig.json. This is my tsconfig.json:

    {
      &quot;compilerOptions&quot;: {
        &quot;outDir&quot;: &quot;dist&quot;,
        &quot;module&quot;: &quot;esnext&quot;,
        &quot;target&quot;: &quot;es5&quot;,
        &quot;lib&quot;: [&quot;es6&quot;, &quot;dom&quot;],
        &quot;sourceMap&quot;: true,
        &quot;allowJs&quot;: true,
        &quot;jsx&quot;: &quot;react&quot;,
        &quot;moduleResolution&quot;: &quot;node&quot;,
        &quot;rootDir&quot;: &quot;src&quot;,
        &quot;forceConsistentCasingInFileNames&quot;: true,
        &quot;noImplicitReturns&quot;: true,
        &quot;noImplicitThis&quot;: true,
        &quot;noImplicitAny&quot;: true,
        &quot;strictNullChecks&quot;: true,
        &quot;suppressImplicitAnyIndexErrors&quot;: true,
        &quot;noUnusedLocals&quot;: true,
        &quot;baseUrl&quot;: &quot;./src&quot;    
      },
      &quot;exclude&quot;: [
        &quot;node_modules&quot;,
        &quot;build&quot;,
        &quot;dist&quot;,
        &quot;config&quot;,    
        &quot;scripts&quot;,
        &quot;acceptance-tests&quot;,
        &quot;webpack&quot;,
        &quot;jest&quot;,
        &quot;src/setupTests.ts&quot;
      ]
    }

Now I can see that there is a generated `tsconfig.test.json` at the root of my project. This is the ts configuration used for test. And here is its content:

    {
      &quot;extends&quot;: &quot;./tsconfig.json&quot;,
      &quot;compilerOptions&quot;: {
        &quot;module&quot;: &quot;commonjs&quot;
      }
    }

As you can see the &quot;module&quot; is `commonjs` here whereas in the default configuration it is `esnext`. Could this be one reason?

Has any one been able to unit test his typescript project with Jest and absolute path? or is this a known bug? Since I have ejected from default configuration, are there some settings to put in my webpack configuration?

Thanks for your input and suggestion.



Jest + Typescript + Absolute paths (baseUrl) gives error: Cannot find module

On GitHub, I want to add a key to associate my computer with my account and I am given two options: create an SSH or a GPG key. 

What is the difference between the two keys? and is there a preferred one to use?  
I understand how to create both by following the guide on the site but I don&#39;t know which one is better to use.

GPG vs SSH keys

On GitHub, I want to add a key to associate my computer with my account and I am given two options: create an SSH or a GPG key.
What is the difference between the two keys? and is there a preferred one to use? 
I understand how to create both by following the guide on the site but I don't know which one is better to use.

need pinned resolution feature of yarn, but also want to audit with `npm audit`? Is there a yarn alternative to `npm audit`? Or, alternately, will pinning resolutions of dependencies of dependencies work in `npm`?

is there a yarn alternative for npm audit?

It is known that SecureRandom class provide strong cryptographic security for generated random number. `java.util.Random` is insecure for the situation which requires cryptographic security. The typical usage of `SecureRandom` is:

    SecureRandom random = new SecureRandom();
    byte bytes[] = new byte[20];
    random.nextBytes(bytes);

However, I met a case:

    SecureRandom random = new SecureRandom();
    int number = random.ints();

The method `ints()` is inherited from the `java.util.Random` class. I am confused when `SecureRandom` which is a secure random number generator uses a method inherited from the insecure random number generator, whether it is secure?

Is SecureRandom.ints() secure?

As I&#39;m paranoid more with online breach, recently noticed that Google chrome elements upon click showing cursor blink and that&#39;s spooky. HTML page elements became editable?   It&#39;s not happening with Mozilla, and the extensions enabled on chrome are,
- Apollo Client Developer Tools,
- Authenticator
- Vue.JS Tools

On Firefox, it&#39;s allowing to select and no cursor blinks and that&#39;s the default behaviour.

Demo of problem:

[![GIF][1]][1]



  [1]: https://i.stack.imgur.com/jb4TA.gif

Google Chrome weird cursor blink on pages, never seen &#39;em before

With regard to the [Log4j][1] [JNDI][2] remote code execution vulnerability that has been identified [CVE-2021-44228][3]  - (also see references) - I wondered if [Log4j-v1.2][4] is also impacted, but the closest I got from source code review is the [JMS-Appender][5].

The question is, while the posts on the Internet indicate that Log4j 1.2 is also vulnerable, I am not able to find the relevant source code for it.

Am I missing something that others have identified?

Log4j 1.2 appears to have a vulnerability in the [socket-server][6] class, but my understanding is that it needs to be enabled in the first place for it to be applicable and hence is not a passive threat unlike the JNDI-lookup vulnerability which the one identified appears to be.

***Is my understanding - that Log4j v1.2 - is not vulnerable to the jndi-remote-code execution bug correct?***

### References

 * *[Apache Log4j Security Vulnerabilities][7]*

 * *[Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet][8]*

 * *[Worst Apache Log4j RCE Zero day Dropped on Internet][9]*

 * *[‘Log4Shell’ vulnerability poses critical threat to applications using ‘ubiquitous’ Java logging package Apache Log4j][10]*

This [blog post from Cloudflare][11] also indicates the same point as from [AKX][12]....that it was introduced from Log4j 2!

**Update #1** - A fork of the (now-retired) apache-log4j-1.2.x with patch fixes for few vulnerabilities identified in the older library is now available (from the original log4j author). The site is https://reload4j.qos.ch/. As of 21-Jan-2022 version 1.2.18.2 has been released. Vulnerabilities addressed to date include those pertaining to [JMSAppender][13], [SocketServer][14] and [Chainsaw][15] vulnerabilities. Note that I am simply relaying this information. Have not verified the fixes from my end. Please refer the link for additional details.


  [1]: https://en.wikipedia.org/wiki/Log4j
  [2]: https://en.wikipedia.org/wiki/Java_Naming_and_Directory_Interface
  [3]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
  [4]: https://dlcdn.apache.org/logging/log4j/1.2.17/log4j-1.2.17.zip
  [5]: https://github.com/kikonen/log4j-share/blob/master/src/main/java/org/apache/log4j/net/JMSAppender.java
  [6]: https://github.com/kikonen/log4j-share/blob/master/src/main/java/org/apache/log4j/net/SocketServer.java
  [7]: https://logging.apache.org/log4j/2.x/security.html
  [8]: https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
  [9]: https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
  [10]: https://portswigger.net/daily-swig/log4shell-vulnerability-poses-critical-threat-to-applications-using-ubiquitous-java-logging-package-apache-log4j
  [11]: https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
  [12]: https://stackoverflow.com/users/51685/akx
  [13]: https://cve.report/CVE-2021-4104
  [14]: https://cve.report/CVE-2019-17571
  [15]: https://cve.report/CVE-2022-23307

Log4j vulnerability - Is Log4j 1.2.17 vulnerable (was unable to find any JNDI code in source)?

I have a pull request, build passed on VSTS, but another check &quot;Expected - Waiting for status to be reported&quot; never succeeds, no matter how many times I try to trigger build. I had many other pull requests with no issues.

I am not sure how to tackle this problem, how to debug this? There is no specific info than this:
[![enter image description here][1]][1]


  [1]: https://i.stack.imgur.com/xHqbI.png

Where should I check first to resolve this?

Github pull request - Waiting for status to be reported

I&#39;m currently using GitHub with a basic Jenkins integration (with the GitHub plugin): each time I push something, my Jenkins tests are triggered and the status is reported to GitHub.

For some dirty reasons (and I know the root cause is here), my tests could randomly fail and then report a failed status to GitHub (which blocked the possibility to merge the PR: and that&#39;s the expected behavior).

Do you know if it&#39;s possible to relaunch the tests without pushing a new commit? Because I know if I relaunch the tests, they will pass.


How to relaunch GitHub check without pushing new commits?

I want to know what happens if the original repository is deleted when there are different forks. Do the forks stay on GitHub, or are the forks also deleted?

What happens to the forks when deleting the original repository?

I mean I want to create one rule and specify multiple branches like `dev|master`. But after seeing the doc, I think it is impossible?? Do I have to create two rules just in order to use the same rule to protect two branches?

How to apply one github branch rule to multiple branches?

My question is about cleaning up the &quot;Environments&quot; tab on a Github repository.

I previously deployed via Heroku, using automatic deployment from two separate Github branches (one for staging, one for production).

This created a tab &quot;Environments&quot; on the repository, in which both Heroku environments were shown - exactly as intended.

Once I started to dive into Heroku pipelines, I have now configured the app to be promoted to production from staging, so the production environment no longer auto-deploys from a branch.

The Environments tab on my Github repo has no way to remove the environment that I no longer use. I can&#39;t seem to find any place on Github or Heroku to make Github &quot;forget&quot; this deployment environment.

I hope my question is clear enough; if I can elaborate on anything, please let me know.

How to remove a Github Environment

When I try to start the ssh-agent on Windows 10 via PowerShell (with elevated right or without) by entering `Start-Service ssh-agent` I get the error

&gt; unable to start ssh-agent service, error :1058

When I check of the service is running via `Get-Service ssh-agent` is returns that the service is stopped.

How can I get the ssh-agent running?

Starting ssh-agent on Windows 10 fails: &quot;unable to start ssh-agent service, error :1058&quot;

I use to connect to EC2 container instances following this steps, https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance-connect.html wondering how I can connect to FARGATE-managed container instances instead.

Is it possible to SSH into FARGATE managed container instances?

I&#39;m using the following code to work with Git in a Java application. 
I have a valid key (use it all the time), and this specific code has work for me before with the same key and git repository, but now I get the following exception:

&gt; invalid privatekey: [B@59c40796.

At this line:

    jSch.addIdentity(&quot;&lt;key_path&gt;/private_key.pem&quot;);


My full code:

        String remoteURL = &quot;ssh://git@&lt;git_repository&gt;&quot;;
        TransportConfigCallback transportConfigCallback = new SshTransportConfigCallback();
        File gitFolder = new File(workingDirectory);
        if (gitFolder.exists()) FileUtils.delete(gitFolder, FileUtils.RECURSIVE);

        Git git = Git.cloneRepository()
                .setURI(remoteURL)
                .setTransportConfigCallback(transportConfigCallback)
                .setDirectory(new File(workingDirectory))
                .call();
    }


    private static class SshTransportConfigCallback implements TransportConfigCallback {
        private final SshSessionFactory sshSessionFactory = new JschConfigSessionFactory() {
            @Override
            protected void configure(OpenSshConfig.Host hc, Session session) {
                session.setConfig(&quot;StrictHostKeyChecking&quot;, &quot;no&quot;);
            }

            @Override
            protected JSch createDefaultJSch(FS fs) throws JSchException {
                JSch jSch = super.createDefaultJSch(fs);
                jSch.addIdentity(&quot;&lt;key_path&gt;/private_key.pem&quot;);

                return jSch;
            }
        };



After searching online, I&#39;ve change createDefaultJSch to use pemWriter:

    @Override
    protected JSch createDefaultJSch(FS fs) throws JSchException {
        JSch jSch = super.createDefaultJSch(fs);
        byte[] privateKeyPEM = null;

        try {
            KeyFactory keyFactory = KeyFactory.getInstance(&quot;RSA&quot;);

            List&lt;String&gt; lines = Files.readAllLines(Paths.get(&quot;&lt;my_key&gt;.pem&quot;), StandardCharsets.US_ASCII);
            PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(String.join(&quot;&quot;, lines)));
            RSAPrivateKey privKey = (RSAPrivateKey) keyFactory.generatePrivate(privSpec);

            PKCS8Generator pkcs8 = new PKCS8Generator(privKey);

            StringWriter writer = new StringWriter();
            PemWriter pemWriter = new PemWriter(writer);
            pemWriter.writeObject(pkcs8);

            privateKeyPEM = writer.toString().getBytes(&quot;US-ASCII&quot;);

        } catch (Exception e) {
            e.printStackTrace();
        }

        jSch.addIdentity(&quot;git&quot;, privateKeyPEM, null, null);

        return jSch;
    }

But still getting *&quot;invalid privatekey&quot;* exception.

&quot;Invalid privatekey&quot; when using JSch

(I am using MAC)

My id_rsa starts with

    -----BEGIN OPENSSH PRIVATE KEY-----

but I expect it to starts with 

    -----BEGIN RSA PRIVATE KEY-----

I have send my id_rsa.pub to server administrator to get the access to server, so I don&#39;t want to generate a new key. 

1. Is there any way that I can transfer my id_rsa which is a openssh private key to a RSA private key?  (command please.)

2. If I can transfer, do I also need to transfer id_rsa.pub? (command please.) It seems id_rsa.pub doesn&#39;t have a header like id_rsa, so I am not sure if I should also transfer this.



Openssh Private Key to RSA Private Key

I have a fairly basic scenario. I made a dedicated ssh key for this purpose and added it to my repository secrets.

1. Code gets pushed to `master`

2. GitHub action uploads it to server using `ssh` by doing `echo &quot;${{ secrets.SSH_KEY }}&quot; &gt; key`.

3. After that I can use this key to connect to my server e.g. `ssh -i key devops@myserver.com lsb_release -a`

The problem is that for some reason GitHub actions cannot write it to file, it writes characters `***` instead of the actual secret value into the file. Therefore obviously I cannot connect to my server.

How can I connect with ssh using this secret? Is there a way to connect without using a file? Can someone who did this common scenario using GitHub actions shed some light?

How can I extract secrets using GitHub Actions?

I use vscode with remote-ssh to connect my server, after configuring, I want to connect my host, but it failed, the dialog box display:&quot;could not establish connection to XX, The process tried to write to a nonexistent pipe.&quot;

output:
```
[16:45:20.916] Log Level: 3
[16:45:20.936] remote-ssh@0.49.0
[16:45:20.936] win32 x64
[16:45:20.944] SSH Resolver called for &quot;ssh-remote+aliyun&quot;, attempt 1
[16:45:20.945] SSH Resolver called for host: aliyun
[16:45:20.945] Setting up SSH remote &quot;aliyun&quot;
[16:45:21.012] Using commit id &quot;c47d83b293181d9be64f27ff093689e8e7aed054&quot; and quality &quot;stable&quot; for server
[16:45:21.014] Install and start server if needed
[16:45:21.019] Checking ssh with &quot;ssh -V&quot;
[16:45:21.144] &gt; OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
[16:45:21.214] Running script with connection command: ssh -T -D 5023 aliyun bash
[16:45:21.221] Terminal shell path: C:\WINDOWS\System32\cmd.exe
[16:45:21.504] &gt; 
&gt; 
&gt;
&gt; ]0;C:\WINDOWS\System32\cmd.exe
[16:45:21.505] Got some output, clearing connection timeout
[16:45:21.577] &gt; 
&gt; 
&gt;
&gt; 
[16:45:21.592] &gt; Bad owner or permissions on C:\\Users\\DY/.ssh/config
&gt; 
[16:45:21.689] &gt; The process tried to write to a nonexistent pipe.
&gt; 
[16:45:22.091] &quot;install&quot; terminal command done
[16:45:22.092] Install terminal quit with output: The process tried to write to a nonexistent pipe.
[16:45:22.093] Received install output: The process tried to write to a nonexistent pipe.
[16:45:22.096] Resolver error: The process tried to write to a nonexistent pipe
[16:45:22.107] ------

```




VScode remote connection error: The process tried to write to a nonexistent pipe

I started using gnupg. An error occurs when trying to import a key from any server:

    @ubuntu:~/Desktop$ gpg --keyserver keys.gnupg.net --recv-key 908F435E
    gpg: keyserver receive failed: No name



Content Type	Original Author	Original Content on Stackoverflow
Question	Domenick	View Question on Stackoverflow
Solution 1 - Security	VonC	View Answer on Stackoverflow

GPG vs SSH keys

Security Problem Overview

Security Solutions

Solution 1 - Security

Jest + Typescript + Absolute paths (baseUrl) gives error: Cannot find module

(node:63208) DeprecationWarning: collection.ensureIndex is deprecated. Use createIndexes instead

Attributions